Android fragmented device market = high risk mobile platform

The market of mobile devices is experiencing faster growth than the PC, and with that growth comes user adoption, the need to enable systems to interoperate, and of course keep the data flowing. The challenge on mobile devices crosses many spectrums, but one area to highlight deals with the variety of “branches” of the Android operating system and device platforms.

A nice visual was put together over at OpenSignalMaps that shows the variety of devices running the Android OS, based on data collected by their application. This is by no means a complete list, but it effectively defines the problem space. There are a lot of platforms that can run Android and have apps installed, and each can be utilized by the consumer. This trend will only radically increase as more and more devices are enabled through Android licenses (TVs, cars, toasters, space ships, etc…). The latest iterations from Amazon are a great demonstration of custom hardware, blended operating system components, and user-linked service providers tied to application and device.

A quick summary of their findings: 3,997 total distinct devices! Though 1,363 were only seen once, which may be a result of the data source and one-hit wonders. Still, that is a very large population. The device model breakdown is the top graphic; the authors provided a number of different slices of the data, and it is worth reviewing.

From an information security and compliance perspective, below are two key areas: software updates and chipsets.

Software updates… not timely, not consistent, or completely absent depending on the platform. This relates to the apps' compatibility with the platform and OS. The operating system itself, as highlighted on Google’s own dashboard, shows a broader active OS base across legacy operating systems than Apple. The lack of software updates (updates not being applied, not existing, or not being compatible) must be mitigated. The problem must be framed properly here: updates in the “new” mobile world are not always there to patch security vulnerabilities. Some, even many, are feature updates that are user focused, backend improvements, etc… Therefore some updates (read: SOME) are not necessary but are nice to have. The business needs to integrate these considerations within the broader IT management framework to ensure that the risks that do exist are mitigated. Sometimes updating to the latest version (to get rid of that nasty little red number) is not the right course of action.

Hardware chipsets… not to be trusted. The hardware that makes up these tablets is based on a global supply chain. As organizations move beyond single-vendor sourcing (ahh, the good ol’ days of Blackberry – yes I said it) to multi-vendor / multi-platform, awareness of the hardware becomes important. Hardware is specifically a risk to be addressed when the focus is on High Value Assets and Persons, meaning those who have access to that type of data or are likely targets of attacks. It is those persons upon whom you would base the device platform selection. The number of poisoned chipsets coming out of China and other areas is increasing. An appropriate level of consideration is important. Beyond poisoned chipsets (i.e., malware / trojans built in), some chipsets have flawed designs that are identified by researchers (and published, such as at DefCon), and invariably utilized by attackers in the wild.
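The two points above (only some updates are mandatory, and hardware selection matters most for high-value persons) translate into a fleet posture check an administrator can run over a device inventory. The following is an added example written for this post, not code from the original article or from any vendor; every release, model name, date and policy value in it is constructed sample data, and the `security_fixes` flag stands in for whatever the organization records from vendor release notes.

```python
"""Fleet posture check over an Android device inventory (added example).

Two policies are evaluated per device:
  1. Pending updates are split into required (carry security fixes) and
     optional (feature-only), so only security-bearing releases raise a finding.
  2. Devices used by high-value persons must be on a reviewed hardware allowlist.
All records below are constructed sample data, not real fleet data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    version: tuple          # comparable version tuple, e.g. (4, 1, 2)
    released: date
    security_fixes: bool    # True when the vendor notes list security fixes


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str              # vendor model string reported by the device
    version: tuple          # build currently installed
    high_value_user: bool   # user handles sensitive data or is a likely target


# Constructed release history for one hypothetical vendor branch.
RELEASES = [
    Release((4, 1, 0), date(2012, 7, 9), security_fixes=False),    # feature release
    Release((4, 1, 2), date(2012, 10, 9), security_fixes=True),    # carries security fixes
    Release((4, 2, 0), date(2012, 11, 13), security_fixes=False),  # feature release
]

# Constructed hardware allowlist: models whose hardware sourcing was reviewed.
HARDWARE_ALLOWLIST = {"VendorA-Tab10", "VendorB-Phone5"}

# Constructed inventory records.
INVENTORY = [
    Device("dev-001", "VendorA-Tab10", (4, 0, 4), high_value_user=False),
    Device("dev-002", "VendorB-Phone5", (4, 1, 2), high_value_user=True),
    Device("dev-003", "VendorC-Budget", (4, 1, 2), high_value_user=True),
    Device("dev-004", "VendorC-Budget", (4, 0, 4), high_value_user=False),
]


def pending_updates(device, releases):
    """Split releases newer than the device's build into required (security)
    and optional (feature-only) version lists, each sorted ascending."""
    newer = sorted((r for r in releases if r.version > device.version),
                   key=lambda r: r.version)
    required = [r.version for r in newer if r.security_fixes]
    optional = [r.version for r in newer if not r.security_fixes]
    return required, optional


def evaluate(device, releases, allowlist):
    """Return the policy result for one device: pending update sets plus
    finding codes an administrator should act on."""
    required, optional = pending_updates(device, releases)
    findings = []
    if required:
        findings.append("MISSING_SECURITY_UPDATE")
    if device.high_value_user and device.model not in allowlist:
        findings.append("UNREVIEWED_HARDWARE_HIGH_VALUE_USER")
    return {"required": required, "optional": optional, "findings": findings}


def fleet_report(devices=INVENTORY, releases=RELEASES, allowlist=HARDWARE_ALLOWLIST):
    """Evaluate every device and key the results by device id."""
    return {d.device_id: evaluate(d, releases, allowlist) for d in devices}


if __name__ == "__main__":
    for dev_id, result in fleet_report().items():
        print(dev_id, result["findings"] or "compliant",
              "optional:", result["optional"])
```

Note that dev-002 is behind the newest release yet raises no finding, because the only update it lacks is feature-only; that is the “not every red number is a security problem” distinction the post makes. Conversely dev-003 is fully patched but still flagged, because its model has not been through hardware review and its user is a high-value person.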

There are other areas of consideration, but the two above draw on the 80/20 rule… I would love other thoughts here!

Google also has a developer dashboard that highlights information about the deployed operating system distribution and adoption (as recorded based on connection to Google’s Play) that is worth visiting.

To sum it up… Having worked with clients to understand, frame, and execute plans that embrace mobile technology across their business, I know it requires an understanding of what the opportunity space is. Each enterprise is a bit different as a result of industry, age of company, and of course their business objectives. The challenge of a fragmented (Android) market space is that it creates risks that need to be viewed across a spectrum within the organization. The fragmentation is not obvious (not 1,000+ iterations!) and so the field of risk is not within line of sight. Organizations tend to go through phases when adopting mobile technology (consumerization) – block; deny; resist; deny without blocking; and finally yield… Given the fragmentation, mature businesses move beyond simple prohibition and instead initiate a process to put in place information security safeguards that mitigate the risk to an acceptable level.

The authors of the original study made a good point at the end: the blessing and curse of Android is the fragmentation and not knowing where the application will run and on what hardware (country, etc…). Finding an operational balance is the key.